Wireless Access

Contributor I
Posts: 34
Registered: ‎03-14-2012

Multiple authentication options

We have 3600 controllers running 6.1.3.1, no ClearPass. My goal here is to create an SSID that is for medical equipment which does not belong to our AD domain and this equipment may not support methods such as certificates for machine authentication, so it needs to also support MAC authentication. So far I have built the Virtual AP that uses this new SSID profile and a MAC-based AAA profile that uses the internal DB, where I have placed my test machine's MAC. It also uses WPA2-PSK for network authentication and AES for encryption. So far this works just fine. I only want to use MAC authentication for those devices that don't support certs, so now I want to add a cert to the list of authentication methods before MAC. What I am hoping to do here is that if a cert is on the machine it will authenticate and skip the MAC portion. If a cert is not on the machine it will fall through to the MAC portion to authenticate. If neither one matches then it is not allowed on. Is this possible or perhaps there is a better way to do this instead of a PSK? The machines will not be part of the AD domain, but the users do have accounts so perhaps it can be designed to use their AD account?

Thanks for your input!

Guru Elite
Posts: 20,808
Registered: ‎03-29-2007

Re: Multiple authentication options

No.

You cannot do PEAP or TLS AND PSK on the same WLAN.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I
Posts: 34
Registered: ‎03-14-2012

Re: Multiple authentication options

OK, so scratch the PSK. What about PEAP or TLS with a fall through to MAC?

Is there a better way? Are there others out there with the need to support device types in one SSID that may not support the same authentication methods?

MVP
Posts: 1,412
Registered: ‎11-30-2011

Re: Multiple authentication options

I believe that PEAP / TLS with fall back on MAC should be possible. All fall within the possibilities of WPA(2) enterprise / dot1x.

Guru Elite
Posts: 20,808
Registered: ‎03-29-2007

Re: Multiple authentication options


11davie wrote:

OK, so scratch the PSK. What about PEAP or TLS with a fall through to MAC?

Is there a better way? Are there others out there with the need to support device types in one SSID that may not support the same authentication methods?


You will need a separate SSID for devices that only do PSK.

Colin Joseph
Aruba Customer Engineering
